agenttesla | e07ed44650299b049af6ac30d65a87a46fd12ebfb2f955124d84af0ebf7844f5

Analysis

max time kernel
96s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-09-2022 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL AWB SHIPMENT DOCS.exe
Size

1.0MB
MD5

ae68aad90d2c563d7224615d4f8e6532
SHA1

3bafaff78a3654ec5fb1eb6e7c73a167ec619ba1
SHA256

ba4a2766012fbcfc2ed208ae30f8deaa5710aee9c72db381ed9047faeb052782
SHA512

3a3851e938b6d2ac8bfb291fcd9c9e28f0514c088400e6b8cf1d78021c0d64933bfb7a45b9771ba7d51e69d39d60f7b795ab072a3dceb56d4058bed741251210
SSDEEP

24576:NO4Kkygdqb66CvqcAPKOWOUcSsunDyK0:NO4Kky5u1NOxJSsuDyK

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.udupis.com
Port:
587
Username:
sales@udupis.com
Password:
skills150

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1220-63-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1220-64-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1220-66-0x00000000004375CE-mapping.dmp	family_agenttesla
behavioral1/memory/1220-65-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1220-68-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1220-70-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

DHL AWB SHIPMENT DOCS.exe

description pid process target process

PID 1044 set thread context of 1220 1044 DHL AWB SHIPMENT DOCS.exe DHL AWB SHIPMENT DOCS.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

DHL AWB SHIPMENT DOCS.exe

pid process

1220 DHL AWB SHIPMENT DOCS.exe
1220 DHL AWB SHIPMENT DOCS.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DHL AWB SHIPMENT DOCS.exe

description pid process

Token: SeDebugPrivilege 1220 DHL AWB SHIPMENT DOCS.exe

description	pid	process	target process
PID 1044 set thread context of 1220	1044	DHL AWB SHIPMENT DOCS.exe	DHL AWB SHIPMENT DOCS.exe

pid	process
1220	DHL AWB SHIPMENT DOCS.exe
1220	DHL AWB SHIPMENT DOCS.exe

description	pid	process
Token: SeDebugPrivilege	1220	DHL AWB SHIPMENT DOCS.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

DHL AWB SHIPMENT DOCS.exe

description	pid	process	target process
PID 1044 wrote to memory of 1220	1044	DHL AWB SHIPMENT DOCS.exe	DHL AWB SHIPMENT DOCS.exe
PID 1044 wrote to memory of 1220	1044	DHL AWB SHIPMENT DOCS.exe	DHL AWB SHIPMENT DOCS.exe
PID 1044 wrote to memory of 1220	1044	DHL AWB SHIPMENT DOCS.exe	DHL AWB SHIPMENT DOCS.exe
PID 1044 wrote to memory of 1220	1044	DHL AWB SHIPMENT DOCS.exe	DHL AWB SHIPMENT DOCS.exe
PID 1044 wrote to memory of 1220	1044	DHL AWB SHIPMENT DOCS.exe	DHL AWB SHIPMENT DOCS.exe
PID 1044 wrote to memory of 1220	1044	DHL AWB SHIPMENT DOCS.exe	DHL AWB SHIPMENT DOCS.exe
PID 1044 wrote to memory of 1220	1044	DHL AWB SHIPMENT DOCS.exe	DHL AWB SHIPMENT DOCS.exe
PID 1044 wrote to memory of 1220	1044	DHL AWB SHIPMENT DOCS.exe	DHL AWB SHIPMENT DOCS.exe
PID 1044 wrote to memory of 1220	1044	DHL AWB SHIPMENT DOCS.exe	DHL AWB SHIPMENT DOCS.exe

C:\Users\Admin\AppData\Local\Temp\DHL AWB SHIPMENT DOCS.exe
"C:\Users\Admin\AppData\Local\Temp\DHL AWB SHIPMENT DOCS.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1044

C:\Users\Admin\AppData\Local\Temp\DHL AWB SHIPMENT DOCS.exe
"C:\Users\Admin\AppData\Local\Temp\DHL AWB SHIPMENT DOCS.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1220

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1044-54-0x0000000000C80000-0x0000000000D90000-memory.dmp

Filesize
1.1MB

Download
memory/1044-55-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1044-56-0x0000000000970000-0x000000000098A000-memory.dmp

Filesize
104KB

Download
memory/1044-57-0x0000000000C70000-0x0000000000C7C000-memory.dmp

Filesize
48KB

Download
memory/1044-58-0x0000000005690000-0x0000000005726000-memory.dmp

Filesize
600KB

Download
memory/1044-59-0x0000000004450000-0x000000000448E000-memory.dmp

Filesize
248KB

Download
memory/1220-60-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1220-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1220-63-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1220-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1220-66-0x00000000004375CE-mapping.dmp

Download
memory/1220-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1220-68-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1220-70-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads